Ensure tempfile ownership is correct

treydock · Feb 23, 2025 · 61ff553 · 61ff553
1 parent 616585d
commit 61ff553
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/lib/puppet/provider/keycloak_api.rb b/lib/puppet/provider/keycloak_api.rb
@@ -58,6 +58,8 @@ def convert_property_value(value)
 
   def self.kcadm(action, resource, realm = nil, file = nil, fields = nil, print_id = false, params = nil)
     kcadm_wrapper = '/opt/keycloak/bin/kcadm-wrapper.sh'
+    keycloak_user ||= 'keycloak'
+    keycloak_group ||= 'keycloak'
 
     arguments = [action]
 
@@ -73,6 +75,14 @@ def self.kcadm(action, resource, realm = nil, file = nil, fields = nil, print_id
       arguments << escape(realm)
     end
     if file
+      Puppet.debug("Get Keycloak user UID for #{keycloak_user}")
+      uid = Etc.getpwnam(keycloak_user).uid
+      Puppet.debug("Get Keycloak group GID for #{keycloak_group}")
+      gid = Etc.getgrnam(keycloak_group).gid
+      # Force the 0600 mode tempfile to be readable only by 'keycloak' user
+      # so that the kcadm commands can be run as 'keycloak'
+      Puppet.debug("Change ownership of #{file} to #{keycloak_user}(#{uid}):#{keycloak_group}(#{gid})")
+      File.chown(uid, gid, file)
       arguments << '-f'
       arguments << file
     end